
Web Application Security – A Complete Guide

OCD or just very fond of structure, I must confess that I like pretty much everything around me to be in (a specific) order. Due to this habit, I got used to working mostly with web applications, since I don’t like to have many windows opened on my taskbar and I prefer moving swiftly between my browser’s tabs. Recently, though, I’ve started to wonder: what does this mean in terms of web application security? 

To answer that question, let us start from the beginning and clarify what a web application is in the first place.

According to SearchSoftwareQuality:

A Web application (Web app) is an application program that is stored on a remote server and delivered over the Internet through a browser interface. […] Web applications do not need to be downloaded since they are accessed through a network. Users can access a Web application through a web browser such as Google Chrome, Mozilla Firefox or Safari. For a web app to operate, it needs a Web server, application server, and a database. Web servers manage the requests that come from a client, while the application server completes the requested task. A database can be used to store any needed information.

Among the benefits of web applications we list:

a. Easier installation and maintenance 

It’s much easier to install, upgrade or maintain a web-based application than a standalone desktop application. Web applications are upgraded on the host servers, and every user can access the updated version as soon as the deployment has finished, without needing to update the application on their PCs.

b. No download hassles

From an end-user perspective, this is probably the greatest advantage – with web applications, you don’t have to download anything in order to use the service. A compatible browser with Internet access is usually all you need. 

c. Use of less storage space 

When using a web application, you don’t have to worry about how much space and memory it needs on your device. Moreover, they can be accessed from any place in the world where there is an active Internet connection. 

d. Accessible on various platforms  

It’s safe to say that nowadays mobility is a great asset and it sure helps a lot not to depend on a certain device in order to complete your tasks. Web applications can be used on any platform (desktop, laptop, phone, tablet), wherever you are. 

Web applications may be: 

a. Static web applications 

These are the most basic type of web application, created using HTML and CSS. If you need to make any serious changes, it is very likely that you will need to contact the people who planned and designed it.

b. Dynamic web applications 

Dynamic web applications can include databases or forums and have the constant ability to update or change the available information. 

c. E-commerce applications

E-commerce apps are more complex than the two types mentioned before, since they need a way to collect electronic payments.

d. Portal web applications 

Portal web applications include forums, chats, emails etc. and are characterized by many different sections or categories which are accessible by way of a home page. 

e. Animated web applications 

Applications of this kind must use Flash technology. Animated web applications do not work well with SEO or search positioning, because search engines cannot read their information properly.

f. Content management systems 

Content management systems offer interfaces that can be accessed and updated and are used for personal or corporate blogs, media sites and so on. 

If we want to talk about web application security, though, we must first specify that web applications are related to the supply chain topic, which we covered here. Unfortunately but not surprisingly, as third parties in your business workflow, web applications can be attacked in various ways, from database manipulation to large-scale network disruption.

According to DARKReading:

Positive Technologies’ analysis unearthed some 70 different types of vulnerabilities in total in Web apps. Security configuration errors—such as default settings, common passwords, full path disclosure, and other information-leak errors—were present in four out of five apps, making this class of vulnerability the most common. Cross-site scripting errors were present in 77% of applications; 74% had authentication-related issues, and more than half (53%) had access control flaws. 

Here are the main web application security threats that you need to be aware of: 


1. Cross-Site Scripting ( XSS)

In a cross-site scripting attack, hackers inject client-side scripts into webpages to get direct access to important information, to impersonate the user or to trick the user into disclosing sensitive data. If a visitor loads the compromised page, their browser may execute the malicious code. This kind of attack is not really the most sophisticated, but it is the most common.

2. Cross-site request forgery 

This type of attack is a serious web application security vulnerability, in which a user is tricked into making a request that uses their own authentication or authorization. By leveraging account privileges, attackers are able to send false requests. The common targets for cross-site request forgeries are highly privileged accounts, like administrator or executive accounts, which results in the exfiltration, destruction or modification of important information.

3. Denial-of-Service (DoS) & Distributed denial-of-service (DDoS) attacks 

During a DoS or DDoS attack, hackers try to overload a targeted server or its surrounding infrastructure. When the server is no longer able to effectively process incoming requests, it will start to behave in an irregular manner, denying service to incoming requests from legitimate users. 

4. Data breaches 

Data breaches may occur through malicious actions or by mistake, but the consequence is the same: sensitive or confidential information gets leaked. Depending on the company that is unfortunate enough to experience a data breach, millions of user accounts can get exposed.

5. Buffer overflow

The term buffer refers to memory storage regions that temporarily hold data during its transfer from one location to another. A buffer overflow/overrun happens when the data volume is bigger than the storage capacity of the memory buffer, which results in adjacent memory locations being overwritten with data. By overwriting the memory of an application, the execution path of the program is changed, which triggers a response that compromises files or exposes sensitive information. Moreover, extra code that sends new instructions to the application may be introduced to gain access to the IT systems.

6. SQL Injection (SQLi)

Structured Query Language (SQL) is a language typically used with relational databases and data stream management systems; it is very effective at querying, manipulating and aggregating data and performs an impressive number of other functions. In a SQL Injection attack, attackers exploit vulnerabilities in the way a database executes search queries.
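The core of the flaw is how the query is built, not the database itself. As an added example that is not part of the original post, the following puts a query that splices the request value into the SQL text next to a parameterized one, using Python’s sqlite3 module and a constructed in-memory users table:

```python
import sqlite3

# Constructed sample data for this example: a minimal users table.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the request value is spliced into the SQL text.

    A quote character in the input closes the string literal, so the rest of
    the input is parsed as SQL and changes the meaning of the WHERE clause.
    """
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: a parameterized query.

    The statement text is fixed; the driver passes the value separately, so
    whatever the input contains, it can only ever be compared as data.
    """
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run the same input through both forms and return the rows each yields."""
    conn = make_db()
    try:
        return {
            "vulnerable": find_user_vulnerable(conn, username),
            "safe": find_user_safe(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed username behaves identically in both forms ...
    print(compare("alice"))
    # ... but the textbook tautology below makes the vulnerable form return
    # every row, while the parameterized form correctly returns none.
    print(compare("' OR '1'='1"))
```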

7. Memory corruption 

Memory corruption refers to the process in which a location in memory is unintentionally modified, possibly leading to unexpected behaviour. Hackers will try to exploit this by attempting code injections or buffer overflow attacks.

8. Path traversal

Path traversal attacks refer to the injection of “../” patterns in order to move up in the server directory hierarchy, for the purpose of accessing unauthorized files or directories outside the webroot folder. A successful path traversal attack might allow hackers access to user credentials, configuration files or even databases.
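The defence is to map every requested path onto the web root and refuse anything that ends up outside it. As an added example that is not code from the original post, the function below does that for the “../” patterns above, including their percent-encoded and backslash variants; the web root /var/www/html and the sample request paths are constructed for the example, and the check is lexical only.

```python
import posixpath
from pathlib import PurePosixPath
from urllib.parse import unquote

# Assumed web root for this example (not taken from the original post).
WEBROOT = PurePosixPath("/var/www/html")

# Constructed sample of request paths as they might appear in an access log.
SAMPLE_REQUESTS = [
    "/index.html",
    "/images/../index.html",
    "/../../../etc/passwd",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/%252e%252e/%252e%252e/etc/shadow",
    "/static/..\\..\\windows\\win.ini",
]


class TraversalAttempt(ValueError):
    """Raised when a requested path would resolve outside the web root."""


def resolve_request_path(requested: str, webroot: PurePosixPath = WEBROOT) -> PurePosixPath:
    """Map a URL path onto a file under webroot, or raise TraversalAttempt.

    Steps: undo (possibly repeated) percent-encoding so "%2e%2e%2f" and
    "%252e%252e%252f" both become "../", normalise separators, collapse "."
    and ".." lexically, then require the result to still sit inside webroot.
    The check is lexical only; a real handler should additionally resolve
    symlinks (os.path.realpath) before opening the file.
    """
    decoded = requested
    for _ in range(3):  # bounded: double encoding is common, deeper nesting is noise
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    if "\x00" in decoded:  # NUL bytes truncate paths in many C runtimes
        raise TraversalAttempt(f"NUL byte in {requested!r}")
    decoded = decoded.replace("\\", "/").lstrip("/")
    normalized = PurePosixPath(posixpath.normpath(str(webroot / decoded)))
    try:
        normalized.relative_to(webroot)
    except ValueError:
        raise TraversalAttempt(f"{requested!r} escapes {webroot}") from None
    return normalized


def audit_requests(paths) -> list:
    """Classify requested paths as allowed or blocked, the way a WAF rule or a
    log review would; returns (requested, verdict, resolved path or reason)."""
    results = []
    for p in paths:
        try:
            results.append((p, "allowed", str(resolve_request_path(p))))
        except TraversalAttempt as exc:
            results.append((p, "blocked", str(exc)))
    return results


if __name__ == "__main__":
    for requested, verdict, detail in audit_requests(SAMPLE_REQUESTS):
        print(f"{verdict:7} {requested!r:45} -> {detail}")
```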

All these sound pretty alarming, but, fortunately, there are many options you can choose when it comes to web application security and protecting your company by detecting, preventing and responding to attacks. 

Here’s how you can enhance your company’s web application security: 


1. Classify Web Applications 

The first thing to do if you want to avoid paying the fiddler is a matter of common sense – you must know the number of web applications your company uses and how they are being used. You cannot build a security system if you don’t know exactly what you need to protect. First step? Make an inventory of your web applications and try classifying them: very critical, critical, serious, normal.

2. Apply the Principle of Least Privilege

Access management can make or break web application security. Not all users will need the same set of rights and privileges, so make sure that you confine the higher privileges to only a few. Automated solutions can be of great help here. Our Thor AdminPrivilege™ will make your life a lot easier if you decide to proactively manage, monitor and control privileged account access.


3. Filter User Inputs

Input fields can be found in almost every web application. These sections, where users introduce data (text, images, file attachments), are often attacked in the attempt to corrupt or take over the web application, so make sure that your company uses filters.

4. Use Application Monitoring 

By monitoring applications with the help of a web application firewall, you will be able to get some insights regarding what type of traffic flows in, what vulnerabilities are being blocked, what kind of inputs and responses the application is receiving, etc. Both our Thor Vigilance and Thor Premium include the firewall feature and can become your ally in your quest to implement web application security.


5. Perform Proper Testing 

Testing is a crucial aspect of cybersecurity. When it comes to the web applications your company uses, make sure your security experts perform penetration testing, in order to make sure that there are no logical flaws in the web applications you need to use.

6. Update the Passwords Frequently 

This is another simple safety measure that every web application user can adopt. In order to stay safe, it is mandatory to use strong passwords that include special characters, numbers and letters. We wrote more about this topic here and here. In addition to strong passwords, a two-factor authentication method will make your accounts even more secure and will drastically reduce the cybercriminals’ chances of successfully attacking your company.

7. Properly Handle Sessions 

Web sessions consist of the series of HTTP requests and responses associated with a user within a certain period of time. Web application sessions are user-initiated and last until the end of the communication between two systems over a network. It’s important to properly handle these sessions if you want to avoid session hijacking, session sniffing, and cross-site scripting attacks.

8. Don’t Forget about Cookies 

Cookies are crucial for web application security, and yet they are often overlooked. They are excellent targets for cyber attacks since they contain valuable information which helps users to be remembered by the sites they visit. To avoid any nuisances, try not to use cookies to store sensitive information, or consider encrypting it, and don’t forget to always monitor and control the cookies’ expiry dates.
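The two points above (keep sensitive state out of the cookie, control its expiry) plus the Secure, HttpOnly and SameSite attributes can be checked mechanically on every Set-Cookie header an application emits. As an added example that is not part of the original post, the audit below does that; the 8-hour lifetime policy and both sample headers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List

# Assumed policy for this example: a session cookie may live at most 8 hours.
MAX_SESSION_LIFETIME = 8 * 3600

# Constructed sample headers: one the way cookies are often set by default,
# one hardened along the lines of the advice above.
WEAK_COOKIE = "sid=user%3Dbob%26role%3Dadmin; Path=/; Max-Age=31536000"
HARDENED_COOKIE = "sid=Ym9iMTIzNDU2Nzg5MA; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=3600"


@dataclass
class CookieReport:
    name: str
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str):
    """Split a Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flags without a value (Secure, HttpOnly)
    map to True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str, max_lifetime: int = MAX_SESSION_LIFETIME) -> CookieReport:
    """Check one Set-Cookie header against the cookie hygiene points above."""
    name, value, attrs = parse_set_cookie(header)
    report = CookieReport(name)
    if "secure" not in attrs:
        report.findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        report.findings.append("missing HttpOnly: readable by injected scripts (XSS)")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        report.findings.append("SameSite not Lax/Strict: sent on cross-site requests (CSRF)")
    if "max-age" in attrs:
        try:
            if int(attrs["max-age"]) > max_lifetime:
                report.findings.append(f"Max-Age {attrs['max-age']}s exceeds policy of {max_lifetime}s")
        except ValueError:
            report.findings.append("Max-Age is not an integer")
    # Heuristic: the value should be an opaque random identifier. Readable
    # key=value pairs (plain or percent-encoded) mean state, possibly sensitive,
    # is stored in the cookie itself rather than server-side. Trailing "=" is
    # ignored so base64 padding does not trip the check.
    if any(tok in value.rstrip("=") for tok in ("=", "&", ":", "%3D", "%26")):
        report.findings.append("value looks like structured data; store state server-side behind a random id")
    return report


if __name__ == "__main__":
    for header in (WEAK_COOKIE, HARDENED_COOKIE):
        rep = audit_set_cookie(header)
        print(rep.name, "OK" if rep.ok else "FINDINGS:", *rep.findings, sep="\n  ")
```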

Conclusion 

As Dafydd Stuttard and Marcus Pinto say in their book, The Web Application Hacker’s Handbook:

There is no doubt that web application security is a current and very newsworthy subject. For all concerned, the stakes are high: for businesses that derive increasing revenue from Internet commerce, for users who trust web applications with sensitive information, and for criminals who can make big money by stealing payment details or compromising bank accounts. 

Please remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it. 

Drop a line below if you have any comments, questions or suggestions – we are all ears and can’t wait to hear your opinion!

The post Web Application Security – A Complete Guide appeared first on Heimdal Security Blog.

Privileged Account Management 101: How Can Privileged Accounts Compromise Your Security

When it comes to privileged account management (PAM), you might want to know: 

– what is a privileged account? 

– does it have any connection to “privileged access management” (also PAM)? 

– how do privileged accounts benefit your company?

– how many / what types of privileged account are there?

– how can privileged accounts compromise your security?

– what can you do to ensure the cybersecurity of your company? 

If so, you have come to the right place – we will answer all this and more in the following lines. 

First, let us clarify that we call privileged accounts those accounts that have the most power inside an IT department and are used by the team to set up the IT infrastructure, to install new software or hardware, to run critical services or to conduct maintenance operations. To put it simply, privileged accounts can access an organization’s highly classified IT assets and the sensitive information stored within them. 

Image: privileged account management concept (Source: Teiss)

As the acronym suggests, privileged account management is related to privileged access management: privileged access management tools monitor privileged accounts in order to ensure business safety. We wrote more about this here. You can also get into this further by learning more about the Zero Trust model, Insider Threats, why removing admin rights closes critical vulnerabilities in your organization, the Principle of Least Privilege (PoLP), and Identity and Access Governance.

How does privileged account management benefit your company? In several ways:

– it helps you maintain a complete list of active privileged accounts in your network, updating it whenever new accounts are created.

– it stores privileged identities (e.g. passwords) in secure vaults.

– it enforces strict IT policies regarding password complexity, frequency of password reset, automatic reset, etc.

– it securely shares privileged accounts, granting every user the minimal permissions needed to fulfil their tasks.

– it monitors and records all privileged users in real time.

– it audits all identity-related operations: user logins, password access attempts, reset actions, etc.

How many / what types of privileged accounts are there? 

Well, overall, privileged accounts can install system hardware/software, make changes in IT infrastructure systems, log into all machines in an environment, access sensitive data and reset passwords for others.


They can be:

1. Local Administrative Accounts 

Non-personal accounts, which provide administrative access only to the localhost or instance. Local admin accounts are used for maintenance on servers, network devices, databases, etc. and usually have the same password across the entire organization. Local Administrative Accounts are the first accounts created during system installation and some companies give their credentials to every employee, which makes them easy targets. Default Administrative accounts cannot be deleted or locked out, only renamed or disabled. 

2. Privileged User Accounts 

These are named credentials that have been granted administrative privileges on one or more systems. They have unique and complex passwords, yet they must be constantly monitored and secured since they have access to very sensitive privileged data. 

3. Domain Administrative Accounts 

They have access across all workstations and servers, offering complete control and the ability to modify every administrative account, which makes them the most sensitive target of a cyber attack in an organization. Access to and usage of domain administrative accounts should be granted only on demand, with additional security controls, and their activity should be fully monitored and audited.

4. Emergency Accounts

Also known as “firecall” or “break-glass” accounts, they cover the situation in which an unprivileged user gets administrative access to secure systems in case of emergency. For obvious security reasons, they require managerial approval. Emergency accounts are also helpful when it comes to restricting compromised accounts from being continuously abused.

5. Service Accounts 

Service accounts are privileged local or domain accounts used by applications or services to communicate with the operating system. Coordinating their password changes is difficult because they can interact with many Windows components – not to mention that changing their passwords hardly ever happens. Also, this kind of privileged account does not expire. 

6. Active Directory or Domain Service Accounts 

Active Directory Domain Services represent the core functions that allow sysadmins to organize data into a logical hierarchy. Changing passwords here is a complicated job since they require coordination across multiple systems – this operation breaks the application(s) almost every time until the account is synced across the environment. 

7. Application Accounts

These allow applications to access databases, run batch jobs or scripts, or provide access to other applications. Usually, they have broad access, so the passwords for this type of account are embedded and stored in unencrypted text files, which poses a significant risk to any organization. By compromising application accounts, hackers can gain remote access, modify system binaries, or even elevate standard accounts to privileged ones.

How can privileged accounts compromise your security?

According to the Netwrix Blog, “privileged user accounts are dangerous because they are so powerful, and that power can be misused in several different ways.” Specifically:

1. Unintentionally

Unauthorized modifications to critical data can happen at any time without anyone thinking about it. Plus, files that store sensitive data can be shared without checking the legitimacy of the business need, getting you in serious trouble.

2. Maliciously 

Privileged accounts do have legitimate access rights, so if they engage in malicious actions, these would be pretty difficult to spot – if someone even thinks to check at all. Malicious use of privileged accounts is a serious threat, since these users’ activity may not be closely monitored and they usually have the expertise to dodge controls and do maximum damage without leaving any trace.

3. By attackers 

Cyber attackers use a variety of techniques to obtain the powerful credentials of privileged accounts. Phishing, brute force or coercion are the most familiar. As the Netwrix Blog writes:

The legitimate owner or user of the account might not even realize the account has been hijacked until it’s too late. Attacks often unfold like this: A hacker breaches the perimeter, takes control of a user’s PC, silently steals any privileged credentials cached there, and then moves from machine to machine looking for additional privileged users to hijack. In fact, hackers often dwell in the network undetected for months, steadily elevating their privileges until they are powerful enough to steal the organization’s intelligence.

As with almost everything in life, precaution is the key. But where do we start when we need to avoid serious privileged account management problems? 

Here are 5 key aspects you must consider in order to avoid privileged account management issues: 

1. Do you know all the privileged accounts in your company?

More than 50% of data breaches involve the use of privileged account access. If you don’t have a clear view of all the privileged accounts in your company, there’s a high probability you’ll have to deal with such a breach. Moreover, your security team must be able to apply the right controls to new systems and applications. 

2. Can you properly secure privileged credentials? 

Privileged credentials should not be shared among IT admins and should not be visible to end-user admins. Passwords and secure shell (SSH) keys should be rotated, random and should expire regularly – you don’t want static passwords to offer cyberattackers root access to your systems and data. If you do not take care of this aspect and do not use the principle of least privilege and multifactor authentication, phishing or man-in-the-middle attacks (no, not winter) might be coming. 

3. Can you identify privileged account use irregularities?

You should be able to monitor privileged accounts for any unusual behaviours and log activity information for later reviews. This should help you draw up a baseline of normal behaviour, which will help you catch deviations and, if need be, trigger alerts. The faster you detect an unusual incident, the better. 

4. Can you take quick action when you find suspicious activity?

As we said, the faster you detect a privileged account management irregularity, the better. Try to make sure that you can automatically shut down a privileged session based on unusual activity. It is not recommended to do this manually, because this might leave the attacker enough time to cause irreparable damage.

5. Can you recover/restore data after an incident? 

It is crucial to recover and restore data quickly after a data breach or system failure. The same goes for credentials – recovering them after an attack allows you to maintain control. A PAM solution can help you with this. 

Bearing this in mind…

Here are some precautions you can take in order to avoid compromised privileged account management: 


1. Provide training to all your employees 

All your employees should be able to recognize suspicious or insecure behaviour. This aspect is particularly important nowadays, since phishing and social engineering attacks are getting more sophisticated and more and more personal devices are being used for business purposes.

2. Be proactive

Make a habit of actively monitoring and routinely auditing any privileged user accounts with elevated permissions, de-credentialing user accounts that no longer require elevated permissions, and setting appropriate expiration dates in order to avoid accumulated privileges.

It’s also useful to perform a data risk evaluation in order to know exactly what privileged accounts have access to sensitive data, because those accounts need higher security scrutiny and protocol. 

3. Always change default credentials 

It’s mandatory to change default credentials when you set up a new account, application or system. Default credentials like “admin” or “12345” are always a top priority for hackers because they are, obviously, very easy to crack.

4. Adopt least privilege policies 

Although some users sometimes need more rights and have more responsibilities than regular users, there are times when they’re over-privileged. It’s better to configure a standard user and then elevate their privileges when needed. 

5. Analyze behaviour 

Look for any anomaly regarding when, from where, and how privileged accounts are used. You will only notice the irregularities if you first establish what normal looks like. 
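Item 3 of the key aspects above (“draw up a baseline of normal behaviour … catch deviations”) and this item describe the same detection logic. As an added example that is not from the original post, the following builds a per-account baseline of source addresses and login hours from constructed sample log lines and flags later events that deviate from it; the key=value log format and the one-hour tolerance are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (the key=value format is an assumption for
# this example). BASELINE_LOG is known-good history used to learn "normal";
# RECENT_LOG is what arrived afterwards and is checked against it.
BASELINE_LOG = """\
2024-03-04T08:55:12 user=da_jsmith src=10.10.1.21 action=login result=success
2024-03-04T17:40:03 user=da_jsmith src=10.10.1.21 action=login result=success
2024-03-05T09:02:44 user=da_jsmith src=10.10.1.21 action=login result=success
2024-03-05T02:00:00 user=svc_backup src=10.10.5.7 action=login result=success
2024-03-06T02:00:01 user=svc_backup src=10.10.5.7 action=login result=success
2024-03-06T10:15:30 user=da_jsmith src=10.10.1.22 action=login result=success
"""

RECENT_LOG = """\
2024-03-11T09:10:00 user=da_jsmith src=10.10.1.21 action=login result=success
2024-03-11T03:27:19 user=da_jsmith src=203.0.113.44 action=login result=success
2024-03-11T02:00:00 user=svc_backup src=10.10.5.7 action=login result=success
2024-03-11T14:05:00 user=svc_backup src=10.10.9.9 action=login result=success
2024-03-11T14:05:01 user=svc_backup src=10.10.9.9 action=login result=failure
"""


def parse_events(text: str) -> list:
    """Turn log lines into dicts with a parsed 'time' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["time"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def build_baseline(events: list) -> dict:
    """Per privileged account: the source addresses and hours of day seen
    in successful logins during the baseline period."""
    baseline = defaultdict(lambda: {"sources": set(), "hours": set()})
    for e in events:
        if e["action"] == "login" and e["result"] == "success":
            baseline[e["user"]]["sources"].add(e["src"])
            baseline[e["user"]]["hours"].add(e["time"].hour)
    return baseline


def _hour_distance(a: int, b: int) -> int:
    # Circular distance so 23:00 and 00:00 count as one hour apart.
    d = abs(a - b) % 24
    return min(d, 24 - d)


def detect_anomalies(events: list, baseline: dict, hour_slack: int = 1) -> list:
    """Return (timestamp, account, reasons) for each login that deviates from
    the account's baseline; an account with no baseline is itself a deviation."""
    alerts = []
    for e in events:
        if e["action"] != "login":
            continue
        reasons = []
        profile = baseline.get(e["user"])  # .get() does not create a default entry
        if profile is None:
            reasons.append("account not seen in baseline")
        else:
            if e["src"] not in profile["sources"]:
                reasons.append(f"new source {e['src']}")
            hour = e["time"].hour
            if all(_hour_distance(hour, h) > hour_slack for h in profile["hours"]):
                reasons.append(f"unusual hour {hour:02d}:xx")
        if e["result"] == "failure":
            reasons.append("failed login")
        if reasons:
            alerts.append((e["time"].isoformat(), e["user"], reasons))
    return alerts


def run_detection() -> list:
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return detect_anomalies(parse_events(RECENT_LOG), baseline)


if __name__ == "__main__":
    for ts, user, reasons in run_detection():
        print(f"ALERT {ts} {user}: {', '.join(reasons)}")
```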

6. Consider automation 

Automated solutions, like our Thor AdminPrivilege™, will make your life a lot easier because they help you proactively manage, monitor and control privileged account access. A Privileged Access Management tool is vital for scalability and it’s not only about managing user rights, but also about the fast flow of software installs, about logs and audit trail, about achieving data protection compliance. 


7. Don’t forget to protect your endpoints

You need an endpoint protection solution in order to keep malicious code that might get into your system from running. Thor Foresight Enterprise can help you prevent exploits, ransomware and data leakage at DNS level and hunt, detect and respond to threats faster. 


You can also make sure that your company is protected against any dangerous emails your privileged users might receive with MailSentry Fraud Prevention, which notifies you about fraud attempts, business email compromise (BEC) and impersonation. 


8. Record sessions 

If an attacker manages to obtain access to your system, you must be able to determine for what purpose the credentials were used, whether any data got exfiltrated, whether malware was inserted into any of your servers, and which databases were compromised. Thor AdminPrivilege™ can also help you with this aspect.

Wrapping Up…

As Security Intelligence says, “Privileged account management (PAM) is emerging as one of the hottest topics in cybersecurity — and it’s easy to understand why. Cybercriminals are relentless when it comes to finding and compromising their targets’ privileged credentials to gain unfettered access to critical assets.” You should have some peace of mind, though, if you adopt a proactive attitude and take safety measures. 

Also, please remember that Heimdal™ Security always has your back too and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it. 

Drop a line below if you have any comments, questions or suggestions – we are all ears and can’t wait to hear your opinion!

The post Privileged Account Management 101: How Can Privileged Accounts Compromise Your Security appeared first on Heimdal Security Blog.

DNS Security 101: The Essentials You Need to Know to Keep Your Organization Safe

DNS Security refers to the protection measures that involve the DNS protocol. As you may already know, the DNS (Domain Name System) was not created through a security-by-design approach. And in today’s digital world, with Internet users demanding smooth and stable online interactions, DNS has become more challenging to handle than ever.

What is DNS?

DNS was built in the early 1980s to solve the issues posed by the early Internet (the ARPAnet), which used to hold name-to-address translations in a single table on a single host (HOSTS.TXT).

In 1983, Paul Mockapetris proposed a new framework that involved a dynamic, distributed system – the DNS.

Following the official creation of the Internet Engineering Task Force (IETF) in 1986, DNS became one of the first Internet Standards. Instead of merely looking up hostnames, DNS now provided readily recognizable names for IP addresses, making the Web more convenient for regular use.

Without it, the Internet as we know it today wouldn’t exist.

To provide more context on the DNS resolution process: every time a domain is purchased from one of the domain registrars, a unique IP address gets assigned to it, which allows the site to be located. Whenever someone wants to visit a website, a DNS query is run. Simply put, the DNS server searches for the IP address and, once it has been found, your browser connects to the server that hosts the website. This process includes multiple steps (performed in a split second), which I’ve described in this article.

Essentially, the DNS, which supports the Internet presence of your company, is a centralized network run by different organizations worldwide. In short, it comprises the operators of root and top-level domain servers, recursive name services, authoritative name services offered by managed DNS operators, and domain registrars that handle domain names.

Is DNS secure?

In the best-case scenario, whenever you type in a domain name (which is translated into an IP address), you end up on your desired website. This is commonly the case; however, a simple DNS query might not always turn out as planned. It’s no longer news that many DNS threats, both simple and sophisticated, are encountered in the wild.

DNS spoofing/poisoning, Man-in-the-Middle attacks and DDoS attacks, to name a few, are DNS threats lurking out there.

Why is DNS insecure? The answer is simple.

First of all, back when the DNS was invented, security threats were not as prevalent as they are now. In those days, the environment was much smaller and much more secure, but as its magnitude and availability increased, it started to look more and more promising in the eyes of malicious actors. Secondly, over time, multiple additions were made to the infrastructure of the DNS – sometimes, perhaps, without much circumspection. These aspects have contributed to the lack of security of the DNS.

It should come as no surprise that a myriad of DNS threats is now endangering companies large and small and regular consumers alike. Yet, ensuring DNS security is important for the digital identity of any business, as well as for maintaining the security and integrity of its internal applications.

According to IDC’s 2020 Global DNS Threat Report:

  • 79% of organizations were victims of DNS-based attacks.
  • On average, each organization was affected by 9.5 DNS attacks.
  • The average cost per attack was $924k.
  • DNS attacks caused application downtime for 82% of organizations.
  • 75% of attacks were not mitigated automatically.

As you can see, DNS threats are to be taken seriously and addressed properly as they are getting more common, complex, and costly. Therefore, it is crucial to safeguard the DNS layer and protect your organization’s money, customers, and reputation.

How to achieve DNS security

Malicious hackers can leverage the DNS in different ways, either by altering the way it works or by abusing vulnerabilities in DNS servers.

In any case, the aftermath of a DNS attack will most probably have a huge impact on your organization. Without DNS security measures in place, your business is left exposed.

Thus, in addition to other threat prevention and mitigation methods that your company ought to have in place (such as vulnerability management, email security and Business Email Compromise prevention, Privileged Access Management, and Antivirus), it’s also essential to keep DNS security as a fundamental part of your cybersecurity foundation.

Below I’ve listed three essential DNS security protection measures that you should deploy.

1.    DNSSEC (DNS Security Extensions)

In 1997, the IETF released the first RFC (Request for Comments) about DNSSEC (Domain Name System Security Extensions) – these are specifications that help protect the DNS.

DNSSEC ensures the security and confidentiality of data (an aspect that is not normally handled through DNS), serving as a cornerstone for digital trust and preventing DNS threats like cache poisoning.

DNSSEC-enabled authoritative servers digitally sign all the answers they serve. Through signature checking, a validating DNSSEC resolver can verify that the data it received is identical to the data held on the authoritative DNS server. If this is not the case, the response is rejected. DNSSEC can also detect man-in-the-middle attacks thanks to its data origin authentication; keep in mind, however, that it does not prevent these attacks.
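A miniature model of the signing and validation just described, added here as an illustration rather than code from this page or from any DNS implementation. It assumes a text-only stand-in for the canonical RR format and an Ed25519 zone key (DNSSEC algorithm 15); the names and addresses are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified resource record: owner name, record type and RDATA.
type RR struct {
	Name, Type, Data string
}

// RRSet groups records with the same owner name and type. DNSSEC signs whole
// RRsets (one RRSIG per set), not individual records.
type RRSet []RR

// canonical builds a deterministic byte string for the set. Real DNSSEC uses
// the canonical wire form of RFC 4034; this text form is a simplification.
func canonical(set RRSet) []byte {
	lines := make([]string, 0, len(set))
	for _, rr := range set {
		lines = append(lines, strings.ToLower(rr.Name)+"\x00"+rr.Type+"\x00"+rr.Data)
	}
	sort.Strings(lines) // canonical ordering: record order on the wire must not matter
	return []byte(strings.Join(lines, "\n"))
}

// NewZoneKey generates the zone's signing key pair. Ed25519 is DNSSEC
// algorithm 15 (RFC 8080); the public half would be published as a DNSKEY.
func NewZoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign plays the authoritative server: it produces the RRSIG-style signature
// over the RRset with the zone's private key. The RDATA itself stays in the
// clear; the signature proves origin and integrity, it does not encrypt.
func Sign(priv ed25519.PrivateKey, set RRSet) []byte {
	return ed25519.Sign(priv, canonical(set))
}

// Validate plays the validating resolver: the answer is accepted only if the
// signature verifies under the zone's public key; otherwise it is rejected.
func Validate(pub ed25519.PublicKey, set RRSet, sig []byte) bool {
	return ed25519.Verify(pub, canonical(set), sig)
}

func main() {
	pub, priv := NewZoneKey()

	// Constructed answer for www.example.com as served by the zone owner.
	genuine := RRSet{{"www.example.com.", "A", "192.0.2.10"}}
	sig := Sign(priv, genuine)
	fmt.Println("genuine answer validates:", Validate(pub, genuine, sig)) // true

	// Constructed poisoned answer: the RDATA was swapped, but without the zone's
	// private key the original signature no longer verifies over it.
	poisoned := RRSet{{"www.example.com.", "A", "198.51.100.66"}}
	fmt.Println("poisoned answer validates:", Validate(pub, poisoned, sig)) // false
}
```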

2.    DNS Filtering

DNS filtering is a great solution to prevent access to malicious domains and webpages.

As I’ve already explained in this article, in very simple terms, the DNS server searches for the IP address of the domain you want to access, which then allows your browser to load the website.

Now, to relate the DNS resolution process to how DNS filtering works, you must bear in mind one additional step.

Before the DNS resolution is completed, every new request is checked. Should a webpage or domain be known as malicious, the DNS filter blocks the request and the browser is directed to a page stating that the site can't be accessed.

For instance, Heimdal™ Security’s DNS-filtering technology scans your traffic and blocks access to malicious websites that can potentially infect your system with malware.


In a nutshell, we maintain a blacklist of malicious IP addresses and webpages and ensure that access to them is restricted. Not only that, but by using the DarkLayer GUARD™ engine, a highly advanced endpoint traffic-based DNS security solution, our customers can hunt, prevent, detect, and block DNS threats.

Through its unique Threat to process correlation (TTPC) technology, we also offer the ability to identify users and processes at risk and proactively hunt for network-based threats. Furthermore, Darklayer GUARD™ offers a full Category based (Social, Advertising, etc.) blocking system for system administrators to choose from.

DarkLayer GUARD™ is deployed in tandem with VectorN Detection™ and they provide our users with HIPS/HIDS and IOA/IOC capabilities by using Neural Network Transformed AI for device-to-infrastructure communication to stop attacks that traditional Antivirus and Firewalls are unable to detect.

Thanks to the Bloom filter we use, this is an extremely low-latency solution, which guarantees no delay when accessing safe websites.

We deploy these DNS security technologies both at the endpoint-level (with Thor Foresight Enterprise) and at the perimeter-level (with Forseti).
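The pre-resolution check and the Bloom filter fast path described above, as an added example that is not Heimdal's code or any product's. The blocklist, the upstream answers and the sinkhole address 192.0.2.1 are constructed; the Bloom filter is a hand-rolled one backed by an exact lookup, because a Bloom filter on its own can report false positives.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"strings"
)

// BlockPageIP is the constructed sinkhole address handed back for blocked
// names; the "site can't be accessed" page would be served from it.
const BlockPageIP = "192.0.2.1"

// Bloom is a minimal Bloom filter: m bits, k positions derived by double
// hashing. It answers "definitely not listed" or "possibly listed", never
// "definitely listed", which is why an exact lookup backs it up below.
type Bloom struct {
	bits []uint64
	m, k uint32
}

func NewBloom(m, k uint32) *Bloom {
	return &Bloom{bits: make([]uint64, (m+63)/64), m: m, k: k}
}

func (b *Bloom) hashes(s string) (uint32, uint32) {
	h1 := fnv.New32a()
	h1.Write([]byte(s))
	h2 := fnv.New32()
	h2.Write([]byte(s))
	return h1.Sum32(), h2.Sum32() | 1
}

func (b *Bloom) Add(s string) {
	h1, h2 := b.hashes(s)
	for i := uint32(0); i < b.k; i++ {
		idx := (h1 + i*h2) % b.m
		b.bits[idx/64] |= uint64(1) << (idx % 64)
	}
}

func (b *Bloom) MayContain(s string) bool {
	h1, h2 := b.hashes(s)
	for i := uint32(0); i < b.k; i++ {
		idx := (h1 + i*h2) % b.m
		if b.bits[idx/64]&(uint64(1)<<(idx%64)) == 0 {
			return false
		}
	}
	return true
}

// Filter is the extra step placed before resolution completes.
type Filter struct {
	bloom    *Bloom
	exact    map[string]bool   // authoritative blocklist, consulted only on a Bloom hit
	upstream map[string]string // constructed stand-in for the upstream resolver
}

func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

func NewFilter(blocklist []string, upstream map[string]string) *Filter {
	f := &Filter{bloom: NewBloom(1<<16, 4), exact: map[string]bool{}, upstream: upstream}
	for _, d := range blocklist {
		d = normalize(d)
		f.exact[d] = true
		f.bloom.Add(d)
	}
	return f
}

// Resolve returns the answer for name and whether it was blocked. The name and
// each of its parent domains are checked, so listing a zone also covers its
// subdomains. Safe names almost never reach the map lookup, which is what
// keeps the added latency close to zero.
func (f *Filter) Resolve(name string) (ip string, blocked bool) {
	n := normalize(name)
	cand := n
	for cand != "" {
		if f.bloom.MayContain(cand) && f.exact[cand] {
			return BlockPageIP, true
		}
		if i := strings.IndexByte(cand, '.'); i >= 0 {
			cand = cand[i+1:]
		} else {
			cand = ""
		}
	}
	ip, ok := f.upstream[n]
	if !ok {
		return "", false // NXDOMAIN stand-in
	}
	return ip, false
}

func main() {
	// Constructed blocklist and upstream answers for the demonstration.
	f := NewFilter([]string{"evil.example", "malware-cdn.test"},
		map[string]string{"www.example.com": "192.0.2.10"})
	for _, q := range []string{"www.example.com", "Evil.Example.", "cdn.evil.example"} {
		ip, blocked := f.Resolve(q)
		fmt.Printf("%-20s -> %q (blocked=%v)\n", q, ip, blocked)
	}
}
```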

 

3.     Monitoring DNS activity

By monitoring your DNS activity and logs, you can notice suspicious traffic patterns that reveal key indicators of compromise. For example, unforeseen changes in traffic volume may suggest malicious DNS activity. Our VectorN Detection™ uses machine learning to establish compromise patterns and provides IOAs and IOCs, a unique add-on that enhances your endpoint security.
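A worked version of the volume check, added here as an example and not the page's or VectorN Detection™'s logic. It assumes a constructed log format (timestamp, client, name, type) and takes each client's own earlier windows as its baseline; the sample lines are generated inside the block.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Query is one parsed resolver log entry.
type Query struct {
	At     time.Time
	Client string
	Name   string
	QType  string
}

// ParseLog reads constructed log lines of the form
//   <RFC3339 timestamp> <client IP> <query name> <query type>
// Lines that do not fit are skipped so one bad entry cannot stop the run.
func ParseLog(raw string) []Query {
	var out []Query
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		out = append(out, Query{At: at, Client: f[1], Name: strings.ToLower(f[2]), QType: f[3]})
	}
	return out
}

// Alert records a client whose query volume in one window jumped well above
// that client's own earlier behaviour.
type Alert struct {
	Client   string
	Window   time.Time
	Count    int
	Baseline float64
}

// VolumeAlerts buckets queries per client and time window, takes the mean of
// the client's earlier (non-empty) windows as the baseline, and flags a window
// whose count is at least minCount and more than factor times that baseline.
// A client with a single window has no baseline yet and never alerts.
func VolumeAlerts(qs []Query, window time.Duration, factor float64, minCount int) []Alert {
	type bucket struct {
		client string
		w      time.Time
	}
	counts := map[bucket]int{}
	windows := map[string][]time.Time{}
	for _, q := range qs {
		b := bucket{q.Client, q.At.Truncate(window)}
		if counts[b] == 0 {
			windows[b.client] = append(windows[b.client], b.w)
		}
		counts[b]++
	}
	clients := make([]string, 0, len(windows))
	for c := range windows {
		clients = append(clients, c)
	}
	sort.Strings(clients) // deterministic output order
	var alerts []Alert
	for _, c := range clients {
		ws := windows[c]
		sort.Slice(ws, func(i, j int) bool { return ws[i].Before(ws[j]) })
		seen := 0
		for i, w := range ws {
			n := counts[bucket{c, w}]
			if i > 0 {
				base := float64(seen) / float64(i)
				if n >= minCount && float64(n) > factor*base {
					alerts = append(alerts, Alert{c, w, n, base})
				}
			}
			seen += n
		}
	}
	return alerts
}

// SampleLog builds a constructed log: two clients with a steady few queries
// per minute, then a sudden burst of 30 queries from one of them.
func SampleLog() string {
	var b strings.Builder
	start := time.Date(2024, 5, 1, 10, 0, 0, 0, time.UTC)
	line := func(at time.Time, client, name string) {
		fmt.Fprintf(&b, "%s %s %s A\n", at.Format(time.RFC3339), client, name)
	}
	for m := 0; m < 4; m++ {
		at := start.Add(time.Duration(m) * time.Minute)
		for i := 0; i < 3; i++ {
			line(at.Add(time.Duration(i*15)*time.Second), "10.0.0.5", "www.example.com")
		}
		for i := 0; i < 2; i++ {
			line(at.Add(time.Duration(i*20)*time.Second), "10.0.0.9", "mail.example.com")
		}
	}
	burst := start.Add(4 * time.Minute)
	for i := 0; i < 30; i++ {
		line(burst.Add(time.Duration(i)*time.Second), "10.0.0.5", fmt.Sprintf("h%d.burst.example", i))
	}
	b.WriteString("malformed line that the parser must skip\n")
	return b.String()
}

func main() {
	alerts := VolumeAlerts(ParseLog(SampleLog()), time.Minute, 5, 10)
	for _, a := range alerts {
		fmt.Printf("%s at %s: %d queries (baseline %.1f/min)\n",
			a.Client, a.Window.Format(time.RFC3339), a.Count, a.Baseline)
	}
}
```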

Conclusion

DNS is a vital digital structure and one of the Internet’s foundations; it ties together everything related to the IT infrastructure, basically all the information that circulates between servers and users. So it is no wonder that it has become an attractive target for attackers. All in all, it is imperative to take decisive steps to enforce and sustain DNS protection measures and keep your organization away from cybercrime.

How do you ensure DNS security in your organization? Leave us a comment in the section below!

The post DNS Security 101: The Essentials You Need to Know to Keep Your Organization Safe appeared first on Heimdal Security Blog.

Cloud Computing Threats: Beyond Vulnerabilities

When you hear the term cloud computing, know that it has little to do with the famous cloud number 9 some sing about: it is a key concept in the current and future evolution of technology. Like everything else, though, it has its strengths and downsides, so let us have a closer look at some of the most relevant cloud computing threats and vulnerabilities, not without first defining the notion.

According to Edward Zamora

Cloud computing consists of the set of systems and services working in unison to provide distributed, flexible, and measurable resources to consumers of cloud services. The National Institute of Standards and Technology (NIST) defines cloud computing as a model that consists of on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service (Mell & Grance, 2011). Essentially, cloud computing allows consumers to provision for themselves resources available from a cloud services provider. Consumers are able to access their cloud resources from a wide variety of devices including mobile, thin clients, and traditional desktops. […] Physical and virtual systems are combined to provide consumers with resources dynamically without the user needing to know the details of how it all works.

Figure: cloud computing concept (Source: Cloud Testing Methodology, Edward Zamora)

As i-SCOOP notes: 

Cloud computing is also one of the essential enablers of Industry 4.0, has been shaping the software and business applications market for over a decade, has an important place in the development of the Internet of Things and is essential to manage data, including big data, to give just a few examples.

Figure: cloud computing metaphor

Cloud technology is also used for hosting popular services like e-mail, social media and business applications. The average person checks their phone 221 times per day to look at e-mails, browse the Internet or use smartphone applications. Besides, 82% of large enterprises are now using cloud computing and up to 78% of small businesses are expected to adopt cloud technology in the next few years.

Depending on the delivery methods, the 4 main cloud delivery models are the following: 

Public Cloud – owned and operated by a third-party provider, can be used by everyone, so it’s publicly accessible. Examples: Microsoft Azure, Google. 

Private Cloud – a distinct cloud whose key trait is privacy, which can be used in several ways by a specific organization.

Hybrid Cloud – a computing environment which combines a public cloud and a private one (or more) by allowing the exchange of data and applications between them. 

Community Cloud – a cloud used by a community of people with, possibly, shared or common profiles, for a common shared purpose. 

Depending on the types of services and resources a customer subscribes to, here are the 3 main cloud services available: 

Software as a Service (SaaS). The choice of most businesses, SaaS uses the Internet to deliver applications that are managed by a third-party vendor to the users. Many SaaS applications run directly in the web browser, meaning they do not need to be downloaded or installed.

SaaS is the best option for: 

– short-term projects that require quick, easy and affordable collaboration. 

– startups or small companies that need to launch e-commerce quickly. 

– applications that need both web and mobile access. 

– applications that aren’t needed very often. 

Platform as a Service (PaaS). Cloud platform services deliver a platform that can be modified by developers to create customized applications. 

PaaS is particularly useful when:

– multiple developers are working on the same development project. 

– other vendors must be included, since PaaS gives the whole process great speed and flexibility.

– you need to create customized applications. 

– you are rapidly developing and deploying an application, because it can reduce costs and simplify challenges. 

Infrastructure as a Service (IaaS). Cloud infrastructure services are made of highly scalable and automated compute resources. IaaS is self-service for accessing and monitoring computers, networking, storage and so on, allowing businesses to purchase resources on-demand. 

IaaS is most advantageous:

– for small companies or startups, to avoid spending time and money on purchasing and creating hardware and software. 

– for larger companies, who want to purchase only what they actually consume / need.

– for companies that experience rapid growth and want to swap out specific hardware and software easily.

Figure: cloud service models

Among the benefits of cloud computing we mention: 

A. Mobility

Cloud computing allows mobile access to your company’s data via various types of devices (smartphones, tablets, laptops), which is particularly useful in the context of the Coronavirus and work-from-home policies.

B. Easy to scale server resources

Most cloud servers provide access to an intuitive site management dashboard where you can view your site’s performance in real-time. Server resources can be scaled up or down on the spot, without having to wait for your hosting provider’s approval.   

C. Safety from server hardware issues and loss prevention

By choosing a cloud service you make sure you avoid any physical server issue like hacking, hardware failure or system overload. We could also include here natural disasters or fires that could destroy your equipment. Most cloud-based services provide data recovery for all kinds of emergency scenarios, from natural disasters to power outages. 

D. Faster website speed and performance 

Usually, a cloud server means very high speed, which allows you to increase your site’s capacity and gives you a great competitive edge.

E. Automatic software updates 

Anyone who is busy knows how irritating it is to wait for system updates to install. Instead of forcing an IT department to perform a manual, organisation-wide update, cloud-based applications refresh and update themselves automatically.

F. Sustainability 

If you aim to have a positive impact from an environmental point of view too, bear in mind that by choosing cloud computing you help cut down on paper waste, improve energy efficiency and reduce commuter-related emissions.

As I already mentioned, cloud computing can bring amazing benefits to companies, but it also has its downsides. If we want to discuss cloud computing threats and vulnerabilities, though, we must not forget the context of the times we live in. 

According to Gartner

The shortage of technical security staff, the rapid migration to cloud computing, regulatory compliance requirements and the unrelenting evolution of threats continue to be the most significant ongoing major security challenges. However, responding to COVID-19 remains the biggest challenge for most security organizations in 2020. 

“The pandemic, and its resulting changes to the business world, accelerated digitalization of business processes, endpoint mobility and the expansion of cloud computing in most organizations, revealing legacy thinking and technologies,” says Peter Firstbrook, VP Analyst, Gartner.

Here are the main cloud computing threats and vulnerabilities your company needs to be aware of:

1. Lack of Strategy and Architecture for Cloud Security 

In their haste to migrate to the cloud, many companies become operational long before the security strategies and systems needed to protect the infrastructure are in place.

2. Misconfiguration of Cloud Services 

Misconfiguration of cloud services is a growing cloud computing threat you must pay attention to. It is usually caused by keeping the default security and access management settings. If this happens, important data can be publicly exposed, manipulated or deleted. 

3. Visibility Loss 

Cloud services can be accessed through multiple devices, departments and geographic locations. This kind of complexity might cause you to lose sight of who is using your cloud services and what they are accessing, uploading or downloading.

4. Compliance Violation 

In most cases, compliance regulations require your company to know where your data is, who has access to it, how it is processed and protected. Even your cloud provider can be asked to hold certain compliance credentials. Thus, a careless transfer of your data to the cloud or moving to the wrong provider can bring potentially serious legal and financial repercussions. 

5. Contractual Breaches 

Any contractual partnerships you have or will develop will include some restrictions on how any shared data is used, how it is stored and who has authorized access to it. Unknowingly moving restricted data into a cloud service whose providers include the right to share any data uploaded into their infrastructure could create a breach of contract, which could lead to legal actions. 

6. Insecure Application Programming Interface (API)

Operating systems in a cloud infrastructure are sometimes managed through an API that helps implement control. APIs are sets of programming code that enable data transmission between one software product and another and contain the terms of this data exchange.

Application Programming Interfaces (API) have two components: technical specification describing the data exchange options, in the form of a request for processing and data delivery protocols, and the software interface written to the specification that represents it. 

Figure: how an API works (Source: Medium)

Any API can be accessed internally by your staff and externally by consumers, and the external-facing API can represent a cloud computing threat. An insecure external API might become a gateway for cybercriminals to gain unauthorized access, steal data and manipulate services.

7. Insider Threats 

Your employees, contractors and business partners can, without having any malicious intent, become some of your biggest security risks due to a lack of training and negligence, as we have already shown. Moving to the cloud introduces a new layer of insider threat, from the cloud service provider’s employees. 

Although there are so many threats and vulnerabilities, it is clear that cloud computing can be really helpful to any company if used correctly and that it is here to stay, so let us now mention some of the safety measures you can take.

Here’s what you can do to efficiently combat cloud computing threats and vulnerabilities: 

1. Manage User Access

Not every employee needs access to every application, file or bit of information. By setting proper levels of authorization you make sure that everyone gets to view or manipulate only the data and the applications necessary for them to do their job. 

2. Deploy Multi-Factor Authentication 

Stolen credentials are one of the most common methods hackers use to get access to your company’s online data. Protect it by deploying multi-factor authentication and make sure that only authorized personnel can log in and access data. 

3. Detect Intruders with Automated Solutions that Monitor and Analyze User Activity 

Abnormal activities can indicate a breach in your system, so try using automated solutions that can help you spot irregularities by monitoring and analyzing user activities in real-time. This is a very efficient tool in the combat against cloud computing threats and vulnerabilities. 

4. Consider Cloud to Cloud Back-Up Solutions 

The chances of losing data because of your cloud provider’s mistake are pretty low, unlike losing it due to human error. Check with your cloud provider how long they store deleted data and whether there are any fees to restore it, or turn to a cloud-to-cloud back-up solution.

5. Provide Anti-Phishing Training for Employees 

The Heimdal™ Security team is very fond of education – we really believe that knowledge is power and that many things can be confronted if we know about them and try our best to prevent them. It goes without saying that we recommend you discuss the dangers of phishing with all your employees. (We actually wrote more about this here, here and here.)

6. Develop an Off-Boarding Process to Protect against Departing Employees 

Always make sure that the employees that leave your company can no longer access your systems, data or customer information by revoking all the access rights. You can manage this internally or outsource the task to someone who knows how to implement the process. 

Heimdal™ Security can also help. Here’s how! 

In our opinion, you can choose between 3 approaches – or opt for all of them if you want top cybersecurity for your company:

Manage user access with Thor AdminPrivilege™, our Privileged Access Management (PAM) software which helps your organization achieve not just better cybersecurity, but also full compliance and higher productivity. Thor AdminPrivilege™ allows your system admins to approve or deny user requests from anywhere or set up an automated flow from the centralized dashboard. Moreover, all the activity is logged for a full audit trail.


Prevent phishing attempts with MailSentry Fraud Prevention, our revolutionary communications protection system that alerts you to fraud attempts, business email compromise (BEC) and impersonation. MailSentry Fraud Prevention monitors all of your e-mails, can detect BEC, CEO fraud, phishing attempts and imposter threats, and offers live monitoring and alerting 24/7 from a specialist fraud team.


Enjoy the benefits of a complete endpoint security solution with Thor Premium Enterprise, our multi-layered security suite that brings together threat hunting, prevention, and mitigation, securing any device that connects to your cloud.


Whatever you choose, please remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it. 

Drop a line below if you have any comments, questions or suggestions – we are all ears and can’t wait to hear your opinion!

The post Cloud Computing Threats: Beyond Vulnerabilities appeared first on Heimdal Security Blog.

What is Privileged Access Management (PAM)?

Privileged Access Management ensures business safety through privileged accounts monitoring, preventing external and internal threats that result from the improper use of admin rights. It is based upon the Principle of Least Privilege, where users are given the absolute minimum access necessary to complete their responsibilities.

If you are concerned about intentional insider threats only, you are barely scratching the surface.

It should come as no surprise that admin rights are not only abused by malevolent employees. They can be leveraged for nefarious purposes by malicious hackers who break into privileged accounts and gain access to your systems. As a result, they have the ability to create additional users with elevated rights or view, edit, and delete your data as they please.

But Privileged Access Management (PAM) ensures you are the only one completely in charge and that you are able to manage and mitigate threats.

In the past, we’ve extensively written about PAM-related topics such as the Zero Trust model, Insider Threats, why removing admin rights closes critical vulnerabilities in your organization, the Principle of Least Privilege (PoLP), and Identity and Access Governance. Now, it’s time to connect the dots and provide you with a complete overview of Privileged Access Management – what it means and why this concept should be followed by any organization, regardless of its size.

In this article, I will also shed some light on the risks of privileged accounts and why it’s essential to manage them effectively. What’s more, I will try to equip you with the resources and tactics needed to safeguard your business against data theft and lateral movement, and look at how you can spot and prevent malicious activities and insider/external attacks, so that your business remains cyber resilient.

What is Privileged Access Management?

Privileged Access Management follows the Principle of Least Privilege, which is based upon the idea that all users should have access only to the information and systems they fundamentally need to perform their job functions. The theory of least privilege is commonly recognized as a standard practice in cybersecurity, being an important move towards securing privileged access. Through following the least privilege concept, companies will minimize the danger of insider and external threats, which otherwise can result in expensive data breaches.

PAM is intended to track, handle, and control privileged accounts, also being aimed at supporting organizations in the effort to protect access to sensitive data and follow the latest legal requirements. Every organization should rely on PAM to be secured against risks raised by the misuse of privileges.

Privileged Access Management refers to a holistic protection approach that involves individuals and technologies and aims to track, manage, protect, and inspect all elevated sessions within an IT ecosystem.

Why apply PAM?

The only way to prevent such threats is to effectively manage and track privileged user sessions. By streamlining the authorization and control of privileged accounts, PAM lets organizations stay in control and be safe from both intentional and unintentional admin rights abuse.

People are starting to acknowledge the importance of Privileged Access Management, which is reflected by the growing size of the market, as you can see below. The chart shows the PAM market size from 2013 to 2016 and a forecast for 2020. In 2016, the privileged access management market was worth $900 million worldwide.

Source: Statista.com

Privileged Access Management Stats

Here are some interesting facts regarding Privileged Access Management that you should be aware of:

  • 90% of organizations feel vulnerable to insider threats (Source)
  • 74% of organizations that have been breached in the past say it involved privileged access credential abuse (Source)
  • Forrester states that 80% of data breaches are connected to compromised privileged credentials (Source)
  • Gartner has identified PAM as one of the top 10 security projects for organizations in 2019 (Source)
  • The Ponemon Institute reports that 49% of organizations don’t have any policies for assigning privileged user access (Source)

The list could continue. However, I hope I’ve managed to paint a picture of the insider threat and admin rights abuse landscape and their relationship with Privileged Access Management.

Types of privileged accounts

Before I dive into more details, please keep in mind that not all privileged accounts within an organization are the same.

In simple terms, a privileged account is used to accomplish activities that standard user accounts cannot, and to access critical data and systems.

These accounts are necessary for maintaining your IT infrastructure. However, if their credentials ever end up in the wrong hands or are misused by malevolent insiders, the damage can be irreversible. Strong privileged-user monitoring is essential to hindering attackers and preventing them from causing major harm to your systems.

The Institute of Forensics and ICT Security lists seven different types of privileged accounts you need to know about:

1.    Local Administrative Accounts

These are non-personal accounts, which only provide the local host or instance with administrative access. They are used for conducting maintenance on workstations, servers, databases, etc. and they often use the same password for ease of usage across an entire network. Due to the shared password policy, they become a desirable target for cyberattacks.

2.    Privileged User Accounts

They are named credentials on one or more systems and are granted administrative privileges. These are usually one of the most popular types of accounts on a corporate network, enabling users to have administrator privileges (for example, to their local desktops or on the networks they operate). Privileged User Accounts often use complex passwords and the power that they possess over networks necessitates a constant oversight of their usage.

3.    Domain Administrative Accounts

Domain Administrative Accounts provide control over all of the organization’s workstations and servers. Although such accounts are small in number, they have the largest and most reliable network-wide connectivity. Having complete control over domain controllers and the right to change the membership of each administrative account within the domain, a breach of these privileged accounts is always a huge risk for any company.

4.    Emergency Accounts

Emergency Accounts offer administrative access for unprivileged users to protected systems throughout an emergency and are often referred to as ‘firecall’ or ‘break-glass’ accounts. For safety reasons, access to such accounts usually requires management’s consent and they generally involve an unreliable manual procedure that lacks auditability.

5.    Service Accounts

These accounts can be privileged local or domain accounts and are used to communicate with the operating system through an application or service. In certain instances, some Service Accounts have administrative privileges based on the specifications of the application under which they are used. Local Service Accounts have the ability to connect with Windows components, so coordinating password changes becomes challenging.

6.    Active Directory or domain service accounts

Password modifications may be much more complicated for these accounts, as they involve coordination across several systems. This problem also contributes to a widespread pattern of seldom changing service account passwords, which poses a significant risk across an organization.

7.    Application Accounts

Application Accounts are used to access databases, run batch jobs or scripts, or facilitate access to other apps. Typically, they facilitate access to underlying company information through applications and databases. Passwords for these accounts are frequently embedded and kept in unencrypted text files, a flaw that is replicated across several servers in the name of fault tolerance. This weakness presents a significant danger to an enterprise, as the apps also contain the data that APTs seek.

Privileged Attack Vectors

In “Privileged Attack Vectors”, Morey J. Haber describes six stages of insider attacks, which are similar to those of external threats.

1.    Infiltration – Insider and External Threats

External threats no longer represent the primary threat to an organization. Infiltration can happen through various attack vectors, and internal access is one of them.

2.    Command and Control

Intruders can easily establish a connection to a C&C server to access toolkits and payloads and receive further commands. This helps them assess the environment and prepare their next steps.

3.    Privileged escalation attempts

Threat actors start learning about your network and identifying the privileged accounts and key assets, looking for ways to collect passwords and take advantage of the user rights they have already abused.

4.    Lateral movement between assets, accounts, resources, and identities

Threat actors then exploit stolen credentials to compromise additional assets and accounts using lateral movement, continuing the propagation and navigation through the target’s environment.

5.    Searching for additional opportunities

The purpose of threat actors is, of course, to remain undiscovered. This way, they can extend their reach from vulnerabilities to compromised identities using multiple attack vectors, installing malware, and identifying additional targets.

6.    Data exfiltration or destruction

Eventually, the threat agents gather, store, and exfiltrate data and sometimes infect your systems with malware (ransomware – in most cases). You must keep in mind that an entire series of attacks can be conducted by an internal or an external threat. Obviously, an insider’s knowledge can speed up all of these steps and bypass security controls.

Why properly managing privileged accounts matters

Through implementing processes to handle privileged accounts, organizations will fix problematic user behavior, reduce the vulnerabilities associated with privileged accounts, and ensure that privileged accounts are used safely.

In addition, managing accounts with elevated rights is also turning into a matter of compliance, as authorities are enacting legislation that outlines the measures that companies need to follow to control their privileged accounts. Hence, poor management of these accounts not only poses security dangers, but may also prompt regulating bodies to enforce penalties.

Privileged accounts are the key to a company’s data and systems, which is why they are coveted by malicious hackers. In fact, it should come as no surprise that many major cyber-attacks involved the abuse of privileged accounts (some examples include the data breaches of JPMorgan Chase and Home Depot).

As you’ve noticed, all privileged accounts are highly sensitive assets in any organization and must be taken seriously. Systems will never be completely protected unless privileged accounts are fully secured.

This is where PAM comes into play, enabling the existence of a set of processes and resources that provide complete insight and power to IT teams over who has access to the most sensitive structures in an enterprise.

Essentially, Privileged Access Management tools offer a wide range of features, such as the possibility to log and record all privileged sessions. For instance, Thor AdminPrivilege™, Heimdal™ Security’s response to PAM, has been translated into a highly elaborate solution that allows for both the escalation and de-escalation of user rights. What’s more, when used in tandem with our threat prevention, detection, and hunting suite, it becomes the only software on the market to automatically de-escalate users’ rights, should an infection be discovered on the machine.

Implementing your PAM program

To avoid system intrusions, you must implement a carefully planned and robust Privileged Access Management program. This way, you will successfully mitigate and prevent threats and secure your privileged accounts.

Here are the fundamental aspects a good PAM program should contain:

  • Having a strong password management policy in place.
  • Logging and recording all privileged user sessions.
  • Following the Zero Trust model and applying the Principle of Least Privilege – in other words, not keeping unnecessary privileged accounts in your environment.
  • Implementing a leading-edge Privileged Access Management tool.


All of the above ensures that sensitive accounts and passwords are immune to attacks. Furthermore, if credentials are ever breached, the harm can be mitigated thanks to the PoLP concept, where no employees are operating with more privileges than they actually require – and should they ever need their rights to be elevated, their sessions will be monitored for suspicious behavior and will last for a limited time only.

These practices will make it highly difficult for malicious actors to leverage privileged accounts as a compromise method.
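The time-boxed elevation, audit trail and de-escalation-on-infection described above can be modelled in a few dozen lines. The following is an added illustration written for this guide, not Heimdal's product code: a hypothetical broker in which users hold no standing admin rights, every elevation is capped in duration and logged, and a threat signal on a host revokes all active grants on it. Names, durations and the "user@host" key are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Grant:
    user: str
    host: str
    granted_at: int      # epoch seconds (constructed values in the demo)
    expires_at: int
    approver: str
    revoked: bool = False


@dataclass
class PamBroker:
    """Hypothetical PAM broker: just-in-time, time-limited elevation with a full audit trail."""
    max_duration: int = 3600                                   # hard cap on any single elevation
    grants: Dict[str, Grant] = field(default_factory=dict)     # keyed by "user@host"
    audit: List[str] = field(default_factory=list)

    def request(self, user: str, host: str, duration: int, approver: str, now: int) -> Grant:
        duration = min(duration, self.max_duration)            # never exceed the policy cap
        g = Grant(user, host, now, now + duration, approver)
        self.grants[f"{user}@{host}"] = g
        self.audit.append(f"{now} GRANT user={user} host={host} until={g.expires_at} by={approver}")
        return g

    def is_admin(self, user: str, host: str, now: int) -> bool:
        """Rights exist only inside an unrevoked, unexpired grant; there are no standing admins."""
        g = self.grants.get(f"{user}@{host}")
        return g is not None and not g.revoked and now < g.expires_at

    def revoke(self, user: str, host: str, now: int, reason: str) -> None:
        g = self.grants.get(f"{user}@{host}")
        if g is not None and not g.revoked:
            g.revoked = True
            self.audit.append(f"{now} REVOKE user={user} host={host} reason={reason}")

    def on_threat_detected(self, host: str, now: int) -> None:
        """Automatic de-escalation: drop every active grant on a host the detection layer flags."""
        for g in list(self.grants.values()):
            if g.host == host and self.is_admin(g.user, g.host, now):
                self.revoke(g.user, g.host, now, "threat-detected")


if __name__ == "__main__":
    broker = PamBroker()
    broker.request("alice", "ws-17", 900, "bob", now=1000)
    broker.on_threat_detected("ws-17", now=1200)
    print("\n".join(broker.audit))
```

The audit list is what a reviewer or compliance auditor would export; because is_admin consults the grant's expiry on every check, forgetting to revoke never leaves a permanent administrator behind.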

Conclusion

IT professionals are nowadays forced to simultaneously keep up with the accelerated evolution of attack vectors and facilitate safe access, in a timely manner, to an organization’s systems and resources.

Our Thor AdminPrivilege™ is a secure and intuitive PAM solution and by far the most advanced Privileged Access Management tool, which allows both the escalation and de-escalation of user rights. Sysadmins can remove permanent rights and grant rights to users only when they need them and for a specified period. All granted rights can be revoked anytime you want and all actions performed during the escalation period are logged for a full audit trail. What’s more, when used together with Thor Foresight, Thor Vigilance, or Thor Premium, it becomes the only software that automatically de-escalates user rights, should any threats be detected on the machine.

How do you manage user rights in your organization? What are your thoughts on Privileged Access Management? I would love to hear your thoughts in the comments section below!

The post What is Privileged Access Management (PAM)? appeared first on Heimdal Security Blog.

A Complete Guide to IoT Security for Your Business

We might feel that technology plays a big part in our lives, always with our eyes on our phones or turning on the TV immediately after we get home, and maybe even consider, in a certain way, that electronic gadgets are part of our family, like Mildred from Fahrenheit 451, Bradbury’s famous dystopia. We must not forget, though, that although technology has made a huge contribution to the evolution of human civilization, our devices can also be seen as a source of possible threats, especially if they are connected to the Internet. This happens because Wi-Fi routers, Smart TVs, smart cameras, smart locks, smart lights, voice assistants, some medical devices and Internet-connected cars fall into the category of the so-called Internet of Things and can become the target of cybercriminals.

The Internet of Things (IoT) describes the physical objects that are embedded with software, sensors and other technologies that allow them to connect and exchange data with other devices and systems over the Internet. 

The emergence of IoT has been fostered by a series of factors that include: 

Connectivity. A host of network protocols for the Internet easily connect sensors to the cloud and to other “things”, streamlining data transfer.

Access to low-cost and low-power sensor technology. Nowadays, manufacturers use affordable and reliable sensors. 

Cloud platforms. Cloud platforms’ increase in availability enables both businesses and consumers to benefit from their advantages, without having to manage them. 

Machine learning and analytics. The advances in machine learning and analytics plus the vast amounts of data stored in the cloud allow companies to gather insights faster and more easily. 

Rise of conversational artificial intelligence (AI). IoT devices (like the digital personal assistants Alexa, Cortana and Siri) can now benefit from natural-language processing due to advances in neural networks.

Image: IoT security for business concept (source: https://www.i-scoop.eu/internet-of-things-guide/)

As i-SCOOP shows, “In 2020 the number of IoT endpoints is forecasted to reach 5.8 billion endpoints, as mentioned a 21% increase from 2019. […] The fastest-growing segments in terms of IoT endpoints installed base: building automation, automotive and healthcare. The second-largest user of IoT endpoints is physical security, says Peter Middleton. Here building intruder detection and indoor surveillance use cases will drive volume.” Other industries use this kind of technology as well, so this growth tendency only underscores the importance of IoT security for business.

Image: IoT security for business, selected segments (source: https://www.gartner.com/en/newsroom/press-releases/2019-08-29-gartner-says-5-8-billion-enterprise-and-automotive-io)

The major benefits of IoT secure devices for your business are the following: 

They increase the productivity and efficiency of business operations. 

They create new business models and revenue streams.

They easily connect the physical business world to the digital world, which saves time and creates value. 

The tricky part is, whether we use them as home consumers or in our workplace, that they are convenient – IoT devices allow us to turn lights on and off remotely, unlock the front door when we are not even in the building or get Alexa or Siri to check our calendar for us. As Peter Milley says, in his paper Privacy and the Internet of Things,

This convenience comes at a price. The unfortunate reality is the companies making these devices, although well steeped in the challenges of manufacturing physical products, are not as well versed in software development. […] Appliance makers create back-door access for support personnel or hard-coded passwords and encryption keys to simplify manufacturing and support with little regard for security. Furthermore, they rarely take into account the need for regular patch maintenance and rely too heavily on the end-user to make security changes to their products.

Here are some aspects that threaten IoT security for business: 

1. Identity and access management 

Identity and access management is usually associated with end-users, but it also extends to devices and applications that need network and resource access. What they have access to, and the legitimacy of their request in the first place, must always be verified, because devices left exposed in various locations can be easily attacked and used by cybercriminals to infiltrate your organisation.

2. Data Integrity 

Data is essential for IoT operations, and it is also critical that its integrity is preserved. Take measures to assure that your data has not been manipulated, whether at rest, in transit or in use. Don’t forget about personal data either. This kind of information, and any data generated by an IoT device, must be protected through encryption, whether it’s in transit or at rest.
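A concrete way to detect manipulation of device data in transit is to have each device authenticate its readings with a keyed MAC that the collector verifies before trusting them. The following is an added example for this guide (not code from Heimdal or any IoT vendor): HMAC-SHA256 over a canonical JSON encoding of the reading, plus a timestamp window so a captured message cannot simply be replayed later. The device identifier, key and readings are constructed values.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed per-device shared secret; a real deployment provisions a unique key per device
# at manufacturing or enrolment time and never ships the same key on every unit.
DEVICE_KEYS: Dict[str, bytes] = {"sensor-42": b"constructed-demo-key-do-not-reuse"}


def canonical(payload: dict) -> bytes:
    """Deterministic serialization so device and collector MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_reading(device_id: str, reading: dict, ts: int) -> dict:
    """Device side: attach an HMAC-SHA256 tag covering device id, timestamp and reading."""
    body = {"device": device_id, "ts": ts, "reading": reading}
    tag = hmac.new(DEVICE_KEYS[device_id], canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": tag}


def verify_reading(msg: dict, now: int, max_skew: int = 300) -> Optional[dict]:
    """Collector side: return the body if the tag and freshness check pass, otherwise None."""
    key = DEVICE_KEYS.get(msg.get("device"))
    if key is None:
        return None                                   # unknown device: nothing to verify against
    body = {k: v for k, v in msg.items() if k != "mac"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
        return None                                   # tampered payload or wrong key
    if abs(now - int(body.get("ts", 0))) > max_skew:
        return None                                   # stale: outside the replay window
    return body


if __name__ == "__main__":
    msg = sign_reading("sensor-42", {"temp_c": 21.5}, ts=1_700_000_000)
    print("genuine :", verify_reading(msg, now=1_700_000_010) is not None)
    tampered = dict(msg, reading={"temp_c": 99.0})
    print("tampered:", verify_reading(tampered, now=1_700_000_010) is not None)
```

A MAC proves integrity and origin but not confidentiality; transport encryption (TLS) still carries the message, and the HMAC stays valuable because it also survives storage at rest and any intermediate broker.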

3. The great number of devices 

Another aspect that threatens IoT security for business is the use of a great number of devices. To be precise, integrating new systems and devices provides more points of access for potential attackers, which raises the security stakes exponentially. 

4. The simplicity of the devices 

IoT devices are being used more and more in various sectors, and even the simplest devices (like a fish-tank thermometer in a casino that can gather tens of GB of personal data and expose it to hackers, for example) can be potential gateways to private segments of a company’s network.

5. The physical protection and disposal of connected devices 

Anyone with physical access to some products can extract plaintext passwords, private keys and root passwords from them. As companies adopt and upgrade IoT, it’s also important to consider the aspect of protection during use and disposal of old or defective smart devices.

6. Malware on an industrial scale 

Hackers are developing more and more dangerous forms of malware, so companies must not forget to ensure the security of the industrial control systems that are connected to and dependent on IoT devices.

7. GDPR Compliance 

Innovation can always open potential loopholes for data protection. The fines levied for GDPR exposure show that the European Commission regulators are very serious when it comes to ensuring that personal data remains private. There are some new security laws on the horizon that promise to hold device manufacturers accountable for vulnerable entry points, yet companies need to take more responsibility for the imperfections within their own IT architecture.

8. Inertia

Inertia is, in general, one of the greatest cybersecurity threats of today. Technology constantly evolves, hackers elaborate more and more strategies to get what they desire, yet so many companies still rely on security tools developed decades ago. 

Image: IoT security for business, IoT characteristics

Up to this point, the safety systems of a Saudi Arabian oil refinery have been targeted by the Triton industrial malware. Vast amounts of personal data have been accidentally exposed at British Airways, Marriott Hotels and various local authority organisations. A group of hackers got access to impressive amounts of a casino’s sensitive information by using an Internet-connected thermometer in an aquarium. Don’t let anything like this happen to your company!

Here are a few tips for flawless IoT security for business: 

1. Pay special attention when you choose the IoT devices providers 

Make sure that you choose a well-known and reliable supplier, one who will probably still be around for a long time. IoT devices require regular updates, especially when new security flaws appear, so you need a manufacturer that, over the years, provides patches and fixes any security bugs that may arise.

2.  Invest in a network analysis tool  

Monitor activity and quickly identify potential security issues by investing in a network analysis tool. This way you will not risk missing instances of information being accessed without permission or at unexpected hours, both signs that can point to a breach of your company’s IT system through an IoT device.
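The two signals named above, access by an unexpected identity and access at unexpected hours, can be checked with a few lines of detection logic over the access log of a device gateway. The following is an added example written for this guide, not a Heimdal product feature; the log format, the business-hours window and the per-device allow-list are constructed assumptions, and the log lines are made up.

```python
from datetime import datetime, time
from typing import Dict, List, Set

# Constructed access-log lines from a hypothetical IoT gateway (key=value fields after an ISO timestamp).
LOG_LINES = [
    "2020-06-03T09:15:02 device=cam-07 user=svc_video action=read resource=/recordings status=ok",
    "2020-06-03T02:14:05 device=cam-07 user=svc_video action=read resource=/recordings status=ok",
    "2020-06-03T11:40:18 device=hvac-02 user=contractor action=write resource=/setpoints status=ok",
    "2020-06-03T11:41:00 device=hvac-02 user=svc_hvac action=write resource=/setpoints status=ok",
    "2020-06-03T23:05:44 device=lock-01 user=guest action=open resource=/door/main status=denied",
]

BUSINESS_HOURS = (time(8, 0), time(18, 0))      # assumed window for routine device access

# Constructed allow-list: which identities are expected to touch which device.
ALLOWED_USERS: Dict[str, Set[str]] = {
    "cam-07": {"svc_video"},
    "hvac-02": {"svc_hvac"},
    "lock-01": {"svc_access"},
}


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a record with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec: dict = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def flag_events(lines: List[str]) -> List[dict]:
    """Return one alert per log line that is out of hours and/or from an unexpected identity."""
    alerts: List[dict] = []
    for line in lines:
        rec = parse_line(line)
        reasons: List[str] = []
        if not (BUSINESS_HOURS[0] <= rec["ts"].time() < BUSINESS_HOURS[1]):
            reasons.append("outside-business-hours")
        if rec["user"] not in ALLOWED_USERS.get(rec["device"], set()):
            reasons.append("unexpected-user")
        if reasons:
            alerts.append({"ts": rec["ts"].isoformat(), "device": rec["device"],
                           "user": rec["user"], "status": rec["status"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in flag_events(LOG_LINES):
        print(a)
```

Note that the denied door-open attempt is still reported: a failed access at 23:05 by an identity that should never touch the lock is exactly the kind of precursor a network analysis tool should surface, not only successful reads.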

3. Consider network management protocols a priority 

IoT device manufacturers often include a built-in protocol that allows the monitoring of internal activity. This usually isn’t enough if you want top security, so it’s crucial for your business to choose IoT devices that support the Simple Network Management Protocol (SNMP). SNMP is a worldwide standard for network management, which allows the devices to be monitored by intrusion detection and prevention systems.

4. Consolidate your network’s security 

It’s crucial to have an up-to-date router, with a firewall enabled, because it can be the first point of attack. If the router is compromised, your entire network will be vulnerable. 

5. Make sure your IoT devices get patched up

Security updates are often released by responsible manufacturers, but you must also make sure that your IoT devices are patched regularly, with the latest updates. If you happen to stumble upon a device that doesn’t receive updates, it’s best to think about whether the benefits of the device surpass the potential impact of an attack in your company’s case.

6. Remove unsupported operating systems, applications and devices from the network  

Improve your business’s IoT security by conducting an inventory to check which operating system a device might be running. If a certain operating system is not getting patches anymore, it shouldn’t be connected to the network. 

7. Narrow down internal and external port communication on your firewalls

Companies should restrict outbound communication if that communication is not particularly necessary. As Ciber Security Services says, 

“Ports 80 and 443, typically associated with the internet, are common services that are open from the corporate network. But 80/443 might not be required for other VLANs associated with specific device types. These two ports are known to pose significant network threats since they allow web surfing, are rarely monitored and offer an entry path into the network. It is very common for malicious hackers and identity thieves to use those ports to exfiltrate data, as they are often left open in most organizations. This could allow a backdoor into the organization.”

8. Last but not least, change default passwords! 

This may seem commonsense, but you must ensure that the default passwords are changed for every IoT device on your network. The new passwords should also be changed over a period of time and stored in a password vault. 

Heimdal™ Security can also help. Here’s how! 

You can ensure your IoT devices’ security by choosing Forseti, an Intrusion Prevention System that can actively protect your network and is delivered as SaaS. Forseti can shield your organization from DNS queries to unwanted domains by stopping communication between infected devices and malicious servers, which guarantees that every device used in the perimeter of your company’s network will pose no danger to your business. Here we include any (possibly compromised) personal device that your employees or visitors use to connect to your corporate network.


Your organization’s protection can be also enhanced in the case of remote work with Thor Foresight Enterprise, our proactive DNS security solution deployed at the endpoint-level.

Wrapping up…

As i-SCOOP says, “despite challenges, different speeds and the fast evolutions which we will see until the first years of the next decade, the Internet of Things is here.” It is also a fact that, at the end of the day, the number of IoT security breaches is only going to grow. Consequently, securing connected devices can no longer be treated as optional; it is mandatory.

Please remember, though, that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture for the benefit of anyone who wants to learn more about it.

Drop a line below if you have any comments, questions or suggestions – we are all ears and can’t wait to hear your opinion!

The post A Complete Guide to IoT Security for Your Business appeared first on Heimdal Security Blog.

What Is a Man-in-the-Middle Attack? How It Works and How to Stay Safe from It

While the nature of cyberattacks is constantly changing, and our lives become more and more influenced – if not affected – by global health problems, thus leaving our cybersecurity even more vulnerable, information remains the most powerful tool we have. When it comes to the cybersecurity of your business, the so-called man-in-the-middle attack is one of the threats you must be aware of. 

The three players involved in a man-in-the-middle attack are the victim, the entity with which he or she is trying to communicate and the man-in-the-middle, who intercepts the victim’s communication. Essential to the success of this kind of attack is that the victim isn’t aware of the man in the middle.

In other words, during a man-in-the-middle attack, a malicious player inserts him/herself into a conversation between two parties, impersonates both of them and gains access to the information that the two parties were trying to share. The malicious player intercepts, sends and receives data meant for someone else – or not meant to be sent at all, without either outside party knowing until it’s already too late. You might find the man-in-the-middle attack abbreviated in various ways: MITM, MitM, MiM or MIM. 

Image: man-in-the-middle attack flow (source: veracode.com)

Public Wi-Fi networks are most likely to be used during a man-in-the-middle attack because they usually are less secure than private Internet connections. Criminals get in the middle by compromising the Internet router, by scanning for unpatched flaws or other vulnerabilities. The next step is to intercept and decrypt the victim’s transmitted data using various techniques – about which we will tell you more below. 

The most susceptible to a man-in-the-middle attack are financial sites, other sites that require a login and any connection meant to be secured by a public or private key.


A man-in-the-middle attack can come in many shapes, yet the most common are the following: 

1. IP spoofing 

An Internet Protocol (IP) address is a numerical label assigned to each device that connects to a computer network that uses the Internet Protocol for communication. IP addresses have two main functions: host or network interface identification and location addressing. By spoofing an IP address, attackers make you think that you’re interacting with a website or someone you’re not, thus allowing the attacker access to the information you’d otherwise keep to yourself.

2. HTTPS spoofing 

The HyperText Transfer Protocol (HTTP) is the foundation of data communication for the World Wide Web, in which hypertext documents include hyperlinks to other resources that users can access. HTTPS means that a particular website is secure and can be trusted. Despite that, attackers can fool your browser into believing it’s visiting a trusted website when it’s not.

3. DNS Spoofing

The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services and other resources connected to the Internet, which translates easily memorized domain names into the numerical IP addresses needed for locating and identifying them. With DNS spoofing, an attacker’s goal is to divert traffic from a real website to a fake one, forcing you to access the fake site and capturing your login credentials.

4. SSL hijacking 

SSL stands for Secure Sockets Layer and is a type of protocol that establishes encrypted links between your browser and the web server. A connection to a secure server (guaranteed by HTTPS) means that standard security protocols are in place, protecting whatever data you’re sharing with that server. When someone hijacks SSL, he/she uses another computer and another secure server to intercept all the information passing between the server and the user’s computer.

5. E-mail hijacking

E-mail hijacking is a type of man-in-the-middle attack used by cybercriminals to target e-mail accounts of banks or other financial institutions. After they have obtained access, they could monitor transactions between an institution and its customers and convince them to follow the attacker’s instructions, and not the bank’s. The result? If you’re not paying enough attention, you may end up putting your money in the attacker’s pockets. 

6. Stealing browser cookies 

In technical language, cookies are small pieces of information – like items you add in the cart of an online store – that websites store on your computer. Since browser cookies can store passwords, addresses and various other types of sensitive information, they can become the target of cybercriminals. 

7. Wi-Fi eavesdropping 

This type of man-in-the-middle attack is particularly dangerous: hackers can set up Wi-Fi connections that sound very legitimate, similar to a business you know. Once a user connects to it, the cybercriminal will be able to monitor their online activity and intercept login credentials, payment card information, etc.

A man-in-the-middle attack is dangerous. End users can carry on with their business for days or even weeks without noticing that something is wrong. Consequently, it’s almost impossible to know, during that time, what data was exposed to malicious actors. Finding out more about what happened often requires good knowledge of the internet or mobile communication protocol and security practices. 

Fortunately, there are some security measures you can take in order to be safe. 

Here are some precautions that may help you to avoid a man-in-the-middle attack: 

1. Use a VPN 

A Virtual Private Network (VPN) is used to extend a private network across a public one, enabling users to share and receive data as if their devices were directly connected to that private network. Particularly useful when talking about preventing a man-in-the-middle attack is that VPN connections can mask your IP address by bouncing it through a private server. Plus, they can encrypt the data as it’s transmitted over the Internet. 

2. Access only HTTPS websites 

HTTPS websites prevent attackers from intercepting communications by encrypting data. 

An excellent method to counter HTTPS spoofing is to manually type the web address you need instead of relying on links.

You can also check if the link you want to access begins with ‘https://’ or has a lock symbol, suggesting it’s secure. 

3. Watch out for phishing scams 

There are lots of tips that we can give you regarding phishing precautions. 

– check grammar and punctuation. Suspicious e-mails might include poor grammar or punctuation or might show an illogical flow of content. 

– remember that established banks never ask you for sensitive information via e-mail. Consider any e-mails that ask you to enter or verify personal details or bank/credit card information a big red flag.

– pay special attention to alarming e-mail content and messages where you are told that one of your accounts has been hacked, that your account has expired or other extreme issues that may provoke panic. Do not take immediate action!

– don’t fall for urgent deadlines either. This kind of e-mail usually leads users to data harvesting websites, where sensitive personal or financial information is stolen.

– beware of shortened links. They don’t show the real name of a website, so they are a perfect way to trick users into clicking. Get used to always placing your cursor on shortened links to see the target location.
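The checks in tips 2 and 3 above (is the link HTTPS, is it a shortener, does the text shown match the real destination) are exactly what a mail gateway or a browser extension can automate before a user ever hovers over a link. The following is an added example for this guide, not a Heimdal or MailSentry feature: a small link checker over constructed HTML-mail links, using the hostnames of a few well-known URL shorteners as a sample list. The domains in the sample links are reserved example/test names.

```python
import re
from typing import List
from urllib.parse import urlparse

# Constructed links as they would appear in an HTML e-mail: the text the user sees and the real href.
SAMPLE_LINKS = [
    {"text": "https://www.example.com/login", "href": "https://www.example.com/login"},
    {"text": "https://www.example.com/login", "href": "http://example.com.login-verify.test/"},
    {"text": "View invoice", "href": "https://bit.ly/3xyzABC"},
    {"text": "Account settings", "href": "http://192.0.2.10/settings"},
]

# A small sample of well-known URL shortener hostnames (extend from your own threat intel).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def check_link(text: str, href: str) -> List[str]:
    """Return the reasons a link deserves a second look (empty list means nothing suspicious)."""
    u = urlparse(href)
    host = (u.hostname or "").lower()
    reasons: List[str] = []
    if u.scheme != "https":
        reasons.append("not-https")                 # plain HTTP can be read or rewritten in transit
    if host in SHORTENERS:
        reasons.append("shortened-url")             # real destination hidden behind a redirect
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw-ip-host")               # legitimate services rarely link to bare IPs
    shown = text.strip()
    if shown.lower().startswith(("http://", "https://")):
        shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host != host:
            reasons.append("display-url-mismatch")  # the visible URL is not where the click goes
    return reasons


def audit_links(links: List[dict]) -> List[dict]:
    """Annotate each link with its reasons; callers can block or warn on any non-empty list."""
    return [{**link, "reasons": check_link(link["text"], link["href"])} for link in links]


if __name__ == "__main__":
    for entry in audit_links(SAMPLE_LINKS):
        print(entry["href"], "->", entry["reasons"] or "ok")
```

The display/href mismatch check is the one that catches the second sample link: the user sees the bank's real address while the click lands on a lookalike host, which is the HTTPS-spoofing scenario the article describes.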

4. Use strong router credentials 

Make sure that not only your Wi-Fi password but also your router credentials are changed. If these credentials are found by an attacker, they can be used to change your DNS servers to malicious ones or to infect your router with malware.

5. Make sure your company has a software update policy

A software update policy helps you seal potential access points for a man-in-the-middle attack because up-to-date systems include all current security patches for known issues. The same should be considered for any routers or IoT devices connected to your network. 

6.  Adopt a zero-trust security model 

Although it might seem a little too much, requiring your colleagues to authenticate themselves each time they connect to your network regardless of where they are will make it more difficult for hackers to pretend to be someone else. They would need to prove their identity before accessing the network in the first place.  

Learn more about the zero-trust model and your organization will be more secure by default.

7. Prevent cookie stealing

Saving passwords in web browsers or storing credit card information on shopping websites might save you a bit of time, but it also leaves you more vulnerable to hackers. You should try to avoid storing sensitive information on websites and also get used to clearing your cookies regularly. If you use Chrome, you can do this by accessing History > Clear Browsing History and ticking the checkbox “Cookies and other site data”.
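On the server side, the main defence against the cookie theft described in point 6 above is to set cookies with the Secure, HttpOnly and SameSite attributes, so that a session cookie is never sent over plain HTTP, cannot be read by page scripts and is not attached to cross-site requests. The following is an added example for this guide (not Heimdal code) that audits Set-Cookie headers for those attributes; the header values are constructed and the list of "sensitive" cookie-name fragments is an assumption.

```python
from typing import Dict, List

# Constructed Set-Cookie headers as a web server might emit them (not from any real site).
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "session=abc123; Path=/",
    "prefs=dark; Path=/; Secure; SameSite=None",
    "auth=xyz; Secure; SameSite=Strict",
]

# Name fragments that usually mark a cookie as carrying an authenticated identity (assumed list).
SENSITIVE_NAME_HINTS = ("session", "auth", "token", "sid")


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Return the cookie name under '__name__' plus lower-cased attributes (flags map to '')."""
    parts = [p.strip() for p in header.split(";")]
    attrs: Dict[str, str] = {"__name__": parts[0].split("=", 1)[0]}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            attrs[k.lower()] = v
        elif p:
            attrs[p.lower()] = ""
    return attrs


def audit_cookie(header: str) -> List[str]:
    """List the attribute problems that make a cookie easier to intercept or steal."""
    a = parse_set_cookie(header)
    issues: List[str] = []
    sensitive = any(hint in a["__name__"].lower() for hint in SENSITIVE_NAME_HINTS)
    if "secure" not in a:
        issues.append("missing-Secure")              # would be sent in clear over HTTP
    if sensitive and "httponly" not in a:
        issues.append("missing-HttpOnly")            # readable by injected page scripts
    samesite = a.get("samesite", "").lower()
    if samesite == "":
        issues.append("missing-SameSite")            # attached to cross-site requests by default rules
    elif samesite == "none" and "secure" not in a:
        issues.append("SameSite=None-without-Secure")  # browsers reject this combination
    return issues


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h.split(";", 1)[0], "->", audit_cookie(h) or "ok")
```

The second sample header is the worst case: a session cookie with none of the three attributes, which is precisely what a man-in-the-middle on an open Wi-Fi network or an injected script could lift.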

Heimdal™ Security can also help. Here’s how!  

As we have already seen, a man-in-the-middle attack can take various forms: IP, HTTPS or DNS Spoofing, SSL or e-mail hijacking, browser cookie theft or Wi-Fi eavesdropping. 

Some of the Heimdal™ solutions are perfect for protecting your business from them: 

Thor Foresight offers DNS and DoH security, plus a powerful and scalable Automated Patch Management system. Its DarkLayer Guard™ mitigates ransomware, next-gen attacks and data leakage. Its VectorN Detection™ tracks device to infrastructure communication and its X-Ploit Resilience feature closes vulnerabilities and deploys updates anywhere in the world. 

For paramount protection, you can combine it with Thor Vigilance, our antivirus solution with an unparalleled threat intelligence, EDR, forensics and firewall integration.   

For your e-mail security, we have developed MailSentry. MailSentry E-mail Security can help you detect malware, and stop spam, malicious URLs and phishing with simple integration and highly customizable control. If you want to take one step further, MailSentry Fraud Prevention will make sure that no e-mails containing fraud attempts, business e-mail compromise or impersonation reach your inbox. 


Wrapping up…

When trying to prevent a man-in-the-middle attack, there are three major aspects you must consider:

awareness & education. People are the ones who unknowingly click on bad links or use their login data on a compromised website, allowing hackers access to their information, so making sure that your colleagues and employees know the basic principles of preventing MITM attacks is essential. 

encryption & VPNs. Use encryption on all of your company’s devices and use VPNs whenever you connect to public networks, for extra protection. 

software update policy. Make sure that all your systems are up-to-date. Even a single point of failure can put your entire network in danger. 

Also, please remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company against cyber threats and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it.

Drop a line below if you have any comments, questions or suggestions – we are all ears and can’t wait to hear your thoughts!

 

The post What Is a Man-in-the-Middle Attack? How It Works and How to Stay Safe from It appeared first on Heimdal Security Blog.